Smart Cities should aim for Cyber Resilience instead of Security
By Ian Yip, Chief Technology Officer, Asia Pacific, McAfee
With spending on technologies to enable Smart Cities in Asia Pacific (excluding Japan) predicted to reach $28.3 billion in 2018, the risk to infrastructure and citizen data is also set to increase at a rate that will be challenging to keep up with.
While citizens can expect to enjoy better services and efficiencies, Smart City infrastructure also introduces new avenues for attack, leaving cities vulnerable to cyber threats via the proliferation of smart devices.
Anticipating the threats of the Smart City landscape
Cybercriminals will increasingly find ways to attack a Smart City’s critical infrastructure. While the barrier to entry for would-be attackers today remains relatively high, this will only get lower as cities move towards becoming “smarter.”
The networks of critical infrastructure providers are particularly at risk, as they increasingly add Internet-enabled components to their industrial control networks. What was once “air-gapped” suddenly becomes part of the corporate network, which in turn is connected to the Internet.
While an attack on a corporate network may bring down applications, a cyber-attack on the industrial control networks of critical infrastructure providers could result in even greater disruption, such as citywide blackouts.
Key challenges on the road to resilient Smart Cities
A McKinsey report recently noted that when it comes to Smart Cities in South East Asia, it becomes a question of leadership. “Governments have a dual role to play. In addition to digitising their own processes and deploying some intelligent solutions on their own, they have to help the broader ecosystem evolve.”
At its core, the cyber challenges in a Smart City boil down to two things: a lack of security culture, and insufficient cyber education.
An improved culture of security led by governments, potentially aided by regulation, will go a long way towards improving the security of Internet of Things (IoT) devices. The majority of IoT devices currently ship with little or no security.
In addition, the privacy of citizens is often ignored in the design of devices or smart, connected systems. This is particularly concerning given the increasing reliance on data analytics as IoT devices are deployed to public services.
When it comes to cyber education, today’s rapid rate of change makes it more challenging than ever to keep up with the potential ways cybercriminals conduct their attacks on the unsuspecting public.
While governments and industry need to play their part in helping to better educate people, citizens must take the initiative to prioritise cyber education. A better-educated public increases the cost of business for cybercriminals, and forces manufacturers of smart devices to include security and privacy-by-design principles into their way of doing business.
Consumers must “vote with their feet” and only buy or support smart-enabled devices that have been built with acceptable security and privacy foundations.
Building the cyber resilient Smart City of the future
Smart Cities do not build themselves, nor will they protect themselves. Without collaboration between government and industry bodies, they will remain unnecessarily and unacceptably unsafe. All involved parties should focus on two goals: cyber resilience and safety. However, these goals need to balance with convenience and digital innovation.
Governments and industry alike must reframe conventional thinking about security in the context of Smart Cities. Most would agree that safety in the design of a Smart City is a non-negotiable core tenet. As digital technology is ubiquitous in any Smart City, it follows that cyber safety must be designed-in from the start. Through this lens, it is resilience that must be the goal, not security.
Singapore (the Smart City of 2018) is a good example of how governments can aim for, and build, cyber resilience, yet remain highly convenient. One fold of its Digital Government Blueprint is “operating reliable, resilient and secure systems,” which outlines initiatives to strengthen the resilience of critical systems and heighten cybersecurity awareness among public officers.
Experience and recent cyber incidents have proven that no system is impenetrable. Smart Cities must prepare for the inevitability of an attack but minimise the impact when it occurs. If we assume everything in a Smart City is insecure, we have fewer expectations about the security of the infrastructure, and instead design controls around safety, availability, and continuity in the face of presumptively successful cyber-attacks.
One should not infer that security should be ignored; quite the opposite. Separating itself from the traditional approach to cybersecurity, cyber resilience focuses instead on the concept that controls are implemented in a prioritised manner based on non-negotiable core principles, instead of attempting to secure everything we can possibly think of.
A resilience-based approach will give us the best chance of ensuring Smart Cities of the future are safe, agile and operational before, during and after a cyber-attack.